Risk Management Cycle Accessible Version

Service Evaluations are conducted by the Information Security Office, usually before a product, application, or service is used to make sure it can be implemented securely. Risk assessments are primarily completed by the owners and custodians of information resources on a recurring basis after their first year of use to make sure the resources are still secure and to compare their security posture to that of other resources.

Some products are offer a feature lineup similar to in-place services offered by IT, and where there’s redundancy, there isn’t much incremental benefit for the risk that comes with those duplicated services. In other cases, Texas State doesn’t have a business-to-business agreement with the service provider, so there’s neither contractual protection for the information that it may handle nor an ability for effective, enterprise-grade management, support, and oversight.

University policy, state laws that drive policy creation, and best practice all require that the Information Security Office evaluate products prior to procurement or use. The same policies and practices require that the ISO facilitate ongoing risk assessments for certain moderate- and high-risk information resources so the risks posed by their use can be measured and mitigated as appropriate.

Yes, both service evaluations and risk assessments are required by university-level policy.

Yes, both service evaluations and risk assessments are required by university-level policy. Teams under the Office of Research and Sponsored Programs may also require additional procedures that involve the ISO to help ensure the goals of a grant or project can be met while protecting the information involved.

The Information Security Office has not yet been able to evaluate all of the institution’s products and services under its current processes. Historic purchases may have been evaluated under different criteria, or the way in which they were purchased may have prevented the ISO from learning about it until later.

The request form helps provide the ISO with accurate information about how you or your department use the software or service, including the types of data involved and how many users there will be.

If a request is particularly urgent, please let the ISO know. Some parts of the review can be expedited based on requesters’ timelines; however, some portions rely on vendors’ diligence and willingness to provide the information needed to conduct the evaluation.

In most cases, yes, if for nothing else than product and risk inventory purposes. Even free and open-source products often come with terms of use that could have negative consequences for the university. Unfortunately, even free products have the potential be the cause of a major incident.

Developed by members of EDUCAUSE, the HECVAT (short for “Higher Education Cloud Vendor Assessment Tool”) is a standardized self-assessment intended for vendors to complete for prospective, higher-education customers. The HECVAT is intended to provide the ISO nearly all the information needed to assess a vendor’s security posture to help ensure it’s an appropriate tool for the job and place for the data it will handle.

Just as different departments have different business processes, they may also use software and services differently from one another. Contextual information, including classification of data that will be handled, can make a big difference in whether a product can be authorized. In other words, something authorized for handling small volumes of public information may not have a security posture commensurate for high volumes of confidential data. 

No, the ISO can begin an evaluation at any time in your selection process well ahead of a purchasing decision being made. If a department is still narrowing their field of options, the ISO would prefer to evaluate only the front-runners to prevent wasted time and efforts.

No, the ISO does not charge back for service evaluations.

Go to the Beacon login page and log on with your NetID and password. Beacon is only accessible from the campus network and the Remote Access VPN portal.

State administrative code (Texas Administrative Code 202.72.1.A.H and 202.75) requires that information resource owners participate in risk assessments of the resources for which they are responsible. The ISO helps facilitate this process through formalized risk assessments and the service evaluation process, but the ISO cannot answer resource-specific questions on behalf of information resource owners.

Information resource owners are required to participate in the risk assessment process. Formal and informal (university-employed) information resource custodians may, however, assist with answering questions and providing background information. The ISO can also help provide clarification as necessary.

Please contact the ISO as soon as possible at InfoSecGRC@txstate.edu so documentation can be updated and the proper contact identified.

This answer depends on a number of factors, including the type and volume of information handled by your service, as well as the impact an incident related to it could have on the institution.

At least one assessment must be completed before November of 2020 to maintain compliance with State of Texas administrative code. Once that’s done, the next annual assessment can be scheduled at any point in following year.

There are a few possible reasons. A formal service evaluation may not have been previously conducted, or the risk presented by your product may have changed relative to other contemporary services.

Probably not. Contact InfoSecGRC@txstate.edu with more information about how and when the product was decommissioned.

Information gathered by ongoing risk assessments are used by the ISO to gain a holistic, quantifiable image of the security risks presented to the university and to address one-off findings as well as potential “hot spots” that may be common across several services. Information about these security risks are also reported in varying detail to the university’s President, the Vice President of IT, and the rest of the president’s cabinet, along with the State’s Department of Information Resources.

Absolutely. Please contact InfoSecGRC@txstate.edu with your request.

In almost every case, yes. Please contact InfoSecGRC@txstate.edu with your request and more information about the assessable objects for which ongoing risk assessments should be scheduled.